[tor-dev] File verification GUI tool

adrelanos adrelanos at riseup.net
Mon Sep 23 23:00:36 UTC 2013


Nima:
> Sherief Alaa:
>> But this is all an endless chain because lets say I download TBB, then
>> download gpg to verify it but then how do I make sure that gpg it self
>> wasn't tampered with? (assuming I don't have it installed already.)
> 
> Indeed that's an endless chain and turtles all the way down. Plus (as
> you already mentioned) you also need to install gpg for OS X and Windows;

Yes.

> Which in Windows' case there's absolutely no secure way to download pgp
> itself.

I agree.

(There is at least a more secure than no security at all way to obtain it.)
[tor-talk] Getting a GnuPG version for Windows in a secure way
https://lists.torproject.org/pipermail/tor-talk/2013-August/029256.html

> Poor Windows users are screwed by *design*
> 
> That being said, I totally support making this process easier. In fact,
> I dream a day where TBB could itself (or TorButton perhaps) check and
> see if all of its executable files are identical to the latest version
> on the repository in a secure way without confusing (or even say noticing)
> the average user.
> 
> Maybe this can be part of the auto-update project?

This wouldn't solve how users could safely obtain it in the first place.
Having the auto-updater working is a separate issue worth solving.

> But whatever it is, it can't be a simple tiny app.

I totally agreed with that in a separate mail.
